* 1.2.5 -- 2025-08-05

- acmpca-iam-rolesanywhere: add file_prefix and file_prefix_separator
terraform-modules · Aug 5, 2025 · 2565a02 · 2565a02
1 parent e18fd4b
commit 2565a02
Show file tree

Hide file tree

Showing 5 changed files with 43 additions and 5 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -49,3 +49,6 @@
 
 * 1.2.4 -- 2025-08-01
   - acmpca: add creation of certs/.gitignore containing *.key *.csr *.crt
+
+* 1.2.5 -- 2025-08-05
+  - acmpca-iam-rolesanywhere: add file_prefix and file_prefix_separator
diff --git a/acmpca-iam-rolesanywhere/README.md b/acmpca-iam-rolesanywhere/README.md
@@ -19,6 +19,7 @@ The certificate issued will be good for 365 days by default, but you may select
 This shows the module call with how you would use it.
 
 ```hcl
+data "aws_iam_account_alias" "current" {}
 module "certificate" {
   source = "git@github.e.it.census.gov:terraform-modules/aws-certificates//acmpca-iam-rolesanywhere"
 
@@ -28,6 +29,8 @@ module "certificate" {
 ## optional
 ##  certificate_subject_ou = "IAM RolesAnywhere EDL"
 ##  validity_days = 30
+##  file_prefix = data.aws_iam_account_alias.current.account_alias
+##  file_prefix_seprator = "_"
 
   tags = merge(
     local.base_tags,
@@ -38,6 +41,13 @@ module "certificate" {
   )
 }
 ```
+
+# Usage: file\_prefix and file\_prefix\_separator
+Use this if you want to clearly separate the output files for common role names across multiple accounts.  A recommended value
+here is the AWS Account Alias, which you can get from the `data` resource `aws_iam_account_alias.account_alias` (see example above).
+If you pass a value, it will use this value along with the value of `file_prefix_separator` (by default, a dot).  By default, the
+prefix is not used.
+
 # Sample Output Fields
 ## certificate\_details
 ```hcl
@@ -130,6 +140,8 @@ certificate_subject = {
 | <a name="input_account_id"></a> [account\_id](#input\_account\_id) | AWS Account ID (default will pull from current user) | `string` | `""` | no |
 | <a name="input_certificate_subject_ou"></a> [certificate\_subject\_ou](#input\_certificate\_subject\_ou) | Specific OU to use in the certificate subject. Default is 'IAM RolesAnywhere {account\_id}' | `string` | `null` | no |
 | <a name="input_contact_email"></a> [contact\_email](#input\_contact\_email) | Email address in @census.gov of contact for the certificate.  This is strongly recommended to be a group email address. | `string` | n/a | yes |
+| <a name="input_filename_prefix"></a> [filename\_prefix](#input\_filename\_prefix) | Prefix to include in the filename leading to {prefix}{separator}{rolename}.{ext} | `string` | `null` | no |
+| <a name="input_filename_prefix_separator"></a> [filename\_prefix\_separator](#input\_filename\_prefix\_separator) | Prefix separator (default: .) | `string` | `"."` | no |
 | <a name="input_import_to_acm"></a> [import\_to\_acm](#input\_import\_to\_acm) | Flag to import certificate to ACM, used primarily for tracking expiration and establishing contact details | `bool` | `true` | no |
 | <a name="input_override_prefixes"></a> [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component. This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
 | <a name="input_role_name"></a> [role\_name](#input\_role\_name) | IAM RolesAnywhere Role Name (including r- prefix if necessary) | `string` | n/a | yes |

diff --git a/acmpca-iam-rolesanywhere/main.tf b/acmpca-iam-rolesanywhere/main.tf
@@ -19,6 +19,7 @@
 * This shows the module call with how you would use it.
 *
 * ```hcl
+* data "aws_iam_account_alias" "current" {}
 * module "certificate" {
 *   source = "git@github.e.it.census.gov:terraform-modules/aws-certificates//acmpca-iam-rolesanywhere"
 * 
@@ -28,6 +29,8 @@
 * ## optional
 * ##  certificate_subject_ou = "IAM RolesAnywhere EDL"
 * ##  validity_days = 30
+* ##  file_prefix = data.aws_iam_account_alias.current.account_alias
+* ##  file_prefix_seprator = "_"
 *
 *   tags = merge(
 *     local.base_tags,
@@ -38,6 +41,13 @@
 *   )
 * }
 * ```
+*
+* # Usage: file_prefix and file_prefix_separator
+* Use this if you want to clearly separate the output files for common role names across multiple accounts.  A recommended value
+* here is the AWS Account Alias, which you can get from the `data` resource `aws_iam_account_alias.account_alias` (see example above).
+* If you pass a value, it will use this value along with the value of `file_prefix_separator` (by default, a dot).  By default, the
+* prefix is not used.
+*
 * # Sample Output Fields
 * ## certificate_details
 * ```hcl
@@ -97,6 +107,7 @@ locals {
   account_environment = data.aws_arn.current.partition == "aws-us-gov" ? "gov" : "ew"
   region              = data.aws_region.current.name
   region_short        = join("", [for c in split("-", local.region) : substr(c, 0, 1)])
+  filename_prefix     = var.filename_prefix != null ? format("%v%v", var.filename_prefix, var.filename_prefix_separator) : ""
 
   base_tags = {
     "boc:tf_module_version" = local._module_version
@@ -115,10 +126,10 @@ module "certificate" {
   certificate_cn                = var.role_name
   contact_email                 = var.contact_email
   create_files                  = true
-  certificate_filename          = format("%v.crt", var.role_name)
-  certificate_chain_filename    = format("%v.chain.crt", var.role_name)
-  key_filename                  = format("%v.key", var.role_name)
-  csr_filename                  = format("%v.csr", var.role_name)
+  certificate_filename          = format("%v%v.crt", local.filename_prefix, var.role_name)
+  certificate_chain_filename    = format("%v%v.chain.crt", local.filename_prefix, var.role_name)
+  key_filename                  = format("%v%v.key", local.filename_prefix, var.role_name)
+  csr_filename                  = format("%v%v.csr", local.filename_prefix, var.role_name)
   certificate_authority_mode    = "general"
   certificate_type              = "end-entity"
   certificate_subject_overrides = { ou = local.certificate_subject_ou }

diff --git a/acmpca-iam-rolesanywhere/variables.tf b/acmpca-iam-rolesanywhere/variables.tf
@@ -41,3 +41,15 @@ variable "import_to_acm" {
   type        = bool
   default     = true
 }
+
+variable "filename_prefix" {
+  description = "Prefix to include in the filename leading to {prefix}{separator}{rolename}.{ext}"
+  type        = string
+  default     = null
+}
+
+variable "filename_prefix_separator" {
+  description = "Prefix separator (default: .)"
+  type        = string
+  default     = "."
+}
diff --git a/common/version.tf b/common/version.tf
@@ -1,3 +1,3 @@
 locals {
-  _module_version = "1.2.4"
+  _module_version = "1.2.5"
 }